Don't Be A Phish: Deep Dive Into Authentication Techniques
- Marvin Day
- 5 years ago
Transcription
1
2 Don't Be A Phish: Deep Dive Into Authentication Techniques
Hrvoje Dogan, Security Solutions Architect
3 Agenda
- Introduction to Phishing
- Hardening Your Infrastructure With Message Authentication:
  - Sender Policy Framework (SPF)
  - Domain Keys Identified Mail (DKIM)
  - Domain-based Message Authentication, Reporting & Conformance (DMARC)
- Q&A
4 Abstract
Phishing is the plague of today's communication. With modern anti-spam rendering legacy spam almost non-existent, different variants of phishing attacks are becoming the primary threat to global systems. Several authentication methods have been around for a while, but their adoption was low and not properly encouraged, and they mostly solved just parts of the problem. However, recent developments build on those legacy techniques and make message authentication, reporting and visibility part of Internet standards. This advanced session will provide an in-depth review of SPF, DKIM and DMARC, the prevalent message authentication techniques, and how Cisco Security products can utilize them. We will design a real-world message authentication architecture and show through examples how, once implemented by all parties, it makes phishing with your identity impossible. Proper implementation of authentication techniques not only prevents you from being phished, but also helps protect your identity and brand reputation, and keeps you a reliable, trustworthy communication and business partner.
5 Content Aids
- Anything in blue relates to Sender / Signer
- Anything in magenta relates to Recipient / Verifier
- The curious fish that wants to know more adorns the slides that are For Your Reference
- The caught fish is our Progress Indicator
Note: Some of the concepts laid out will be abstracted/simplified for easier delivery. I will make the best effort to point out when there is more happening behind the scenes that is not practical to deliver in this session.
6 Introduction to Phishing
7 Brodet Dalmatian fish stew, usually served with polenta 1 kg of wild fish (scorpion fish, conger eel, angler the more the merrier) 1-2 dl of olive oil 3 onions 6 cloves of garlic 500 gr of tomatoes, diced (canned or fresh) Salt, pepper, parsley leaves, bay leaf Some wine vinegar Cut fish into large pieces. Dice onions and parsley, finely chop garlic. In a medium to large pan, heat olive oil, fry onion until glassy. Add fish and fry shortly. Add tomatoes. Add the rest of the ingredients and enough water to completely cover the fish. Cook on low to medium heat for about one hour, add water if it evaporates. The key to a good brodet is finding out the right amount of wine vinegar to add, to give the tomato sweetness a nice twang. Just experiment!
8 What Is Phishing?
phishing, noun \ˈfi-shiŋ\: a scam by which an e-mail user is duped into revealing personal or confidential information which the scammer can use illicitly (Merriam-Webster Online Dictionary)
9 A Short History of Phishing
- First use: 1996, alt.online-service.america-online
- 2001: Moved to wider Internet, targeting payment systems. Easy to spot messages, spelling errors
- 2003: Legitimate site opens in the background, phisher runs a fake login window in front. Gartner reports global cost of phishing in 2003 at 2.4 billion US$
- Implemented data validation with real sites
- Creating completely fake Websites of imaginary banks and financial firms
10 Phishing Today
- Country hosting most target sites: USA
- Top 5 countries by attacked brands: USA, UK, India, Australia, France
- Most phishing attacks are launched on Fridays
- Worldwide cost of Phishing in 2012: >1.5 billion US$
Source: RSA Online Fraud Report
Source: APWG Phishing Attack Trends Report 2Q2013
11 Who Is Attacked?
Energy sector targets in Q1:
- An oil and gas exploration firm with operations in Africa, Morocco, and Brazil
- A company that owns multiple hydro electric plants throughout the Czech Republic and Bulgaria
- A natural gas power station in the UK
- A gas distributor located in France
- An industrial supplier to the energy, nuclear and aerospace industries
- Various investment and capital firms that specialize in the energy sector
Source: Cisco TRAC Q Quarterly Threat Briefing
12 Hardening Your Infrastructure: SPF
13 Gregada A quick fishermen s hotpot 2 kg of fish (works best with angler fish, but even hake will do. Good with cod, too.) 1 kg of potatoes 1 onion 4-5 cloves of garlic 2 dl of white wine 2 dl of olive oil a splash of lemon juice fish stock a bunch of fresh parsley leaves a pinch of rosemary salt and pepper to taste Cut fish into large pieces. Slice onions into rings, and potatoes into 1-2 cm thick slices. Dice parsley, garlic and rosemary. In a large pot, fry onions on a little olive oil until glassy, add garlic and a little salt, and fry until onion is golden. Add a layer of potatoes, then top with a layer of fish, and top the fish with more potatoes. Add the rest of the olive oil, white wine, and top off with fish stock just to barely cover the potatoes. Add a little bit of cold water. There should be no more than 1 cm of liquid over the potatoes. Cook covered on high flame for 20 minutes. DO NOT STIR! Occasionally shake the pot instead. After 20 minutes, add lemon juice and parsley, and cook uncovered on low heat for a little while until the potatoes are soft. Before serving, let the pot rest for a while, so flavors even out. Sprinkle with olive oil in the plates.
14 Sender Policy Framework: A Short Introduction
- Specified in RFC4408(bis)
- In a nutshell: Allows recipients to verify sender IP addresses by looking up DNS records listing authorized Mail Gateways for a particular domain
- Uses DNS TXT (Type 16) or SPF (Type 99) Resource Records
  - SPF RR will be obsoleted due to low use
- Can verify HELO and MAIL FROM identity (FQDN)
15 SPF Operation
[Diagram]
- Sender: Work out which machines send -> DNS TXT and/or SPF RR. Outgoing msg -> Just forward it
- Recipient: Get incoming connection -> Parse SPF record -> Check remote IP, HELO/EHLO, MAIL FROM -> Deliver/Drop/Quarantine
16 SPF Record Semantics
acmilan.com IN TXT v=spf1 ip4: all
Callouts on the slide: SPF version (v=spf1), verification mechanisms (ip4, all)
17 SPF Record Semantics: Mechanisms and Qualifiers
- Mechanisms: IP4, IP6, A, MX, PTR, INCLUDE, EXISTS, ALL
- Qualifiers: PASS (+), NEUTRAL (?), SOFTFAIL (~), FAIL (-)
18 SPF Record Examples
cisco.com IN TXT v=spf1 ip4: /27 ip4: /26 ip4: /27 ip4: /24 ip4: /14 ip4: /27 ip4: /24 ip4: /16 ip4: /20 ip4: /24" " ip4: /24 ip4: /27 ip4: /26 ip4: /27 ip4: /26 ip4: /24 mx:res.cisco.com ~all
amazon.com IN TXT v=spf1 include:spf1.amazon.com include:spf2.amazon.com include:amazonses.com all
amazon.ses.com IN TXT v=spf1 ip4: /22 ip4: /22 ip4: /18 ~all
openspf.org IN TXT v=spf1 all
19 SPF Record Nesting
google.com IN TXT v=spf1 include:_spf.google.com ip4: /31 ip4: /31 ~all
_spf.google.com IN TXT v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all
_netblocks.google.com IN TXT v=spf1 ip4: /19 ip4: /19 ip4: /20 ip4: /18 ip4: /17 ip4: /20 ip4: /16 ip4: /20 ip4: /20 ip4: /16 ~all
_netblocks2.google.com IN TXT v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all
_netblocks3.google.com IN TXT v=spf1 ~all
Maximum of 10 mechanisms querying DNS (any other than IP4, IP6, ALL)!
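The nested evaluation and the 10-lookup limit above, as an added Python example that is not part of the original presentation. The zone data uses constructed documentation domains and address ranges, and `check_host`, `ZONE` and `PermError` are hypothetical names; only `ip4`, `ip6`, `include` and `all` are evaluated, while other mechanisms are merely counted against the limit.

```python
import ipaddress

# Constructed zone data: documentation domains and address ranges, not real records.
ZONE = {
    "example.com": "v=spf1 include:_spf.example.com ip4:192.0.2.0/28 ~all",
    "_spf.example.com": "v=spf1 include:_netblocks.example.com "
                        "include:_netblocks2.example.com ~all",
    "_netblocks.example.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_netblocks2.example.com": "v=spf1 ip6:2001:db8:4000::/36 ~all",
    "nomail.example.com": "v=spf1 -all",                        # null record
    "loop.example.com": "v=spf1 include:loop.example.com -all",  # self-include
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_MECHANISMS = 10  # the limit quoted on the slide


class PermError(Exception):
    """The record cannot be evaluated (lookup limit exceeded, broken include)."""


def _count_lookup(state):
    state["lookups"] += 1
    if state["lookups"] > MAX_DNS_MECHANISMS:
        raise PermError("more than 10 DNS-querying mechanisms")


def _evaluate(domain, ip, state):
    record = ZONE.get(domain)
    if record is None or record.split()[0] != "v=spf1":
        return None  # domain publishes no SPF policy
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier is PASS
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            _count_lookup(state)
            inner = _evaluate(arg, ip, state)
            if inner is None:
                raise PermError("include target publishes no SPF record")
            if inner == "pass":  # only an inner pass makes the include match
                return QUALIFIERS[qualifier]
        else:
            # a, mx, ptr, exists need live DNS; this sketch only counts them.
            _count_lookup(state)
    return "neutral"


def check_host(ip_text, domain):
    """Return (result, number of DNS-querying mechanisms evaluated)."""
    state = {"lookups": 0}
    try:
        result = _evaluate(domain, ipaddress.ip_address(ip_text), state)
    except PermError:
        result = "permerror"
    return (result or "none"), state["lookups"]
```
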
20 What SPF Does NOT Address
- Primary purpose of SPF is to validate whether a message sender comes from a legitimate host
- Only checks Envelope From; headers can still be faked
- Complementary technology, SenderID, checks purported sender ("Purported Responsible Address") in the headers, but has many shortcomings
- Does not ensure message integrity
- Does not prevent intra-domain forgery
21 SPF Best Practices
- Plan to include "-all" in your SPF records
- Consider all legitimate servers sending on your behalf
- Make it part of security policy for roaming users to use authenticated SMTP on your gateways for sending outgoing mail
- Add your relay hosts' HELO/EHLO identity to SPF records
- Create SPF records for all of your subdomains too
- Publish null SPF records for domains/hosts that don't send mail! nomail.domain.com. IN TXT "v=spf1 -all"
- Only include MX mechanism if your incoming mail servers also send outgoing mail
- (for now) Publish both TXT and SPF DNS Resource Records with your SPF record data
22 Setting up SPF DNS Records and Configuring SPF Verification on Cisco ESA
23 Hardening Your Infrastructure: DKIM
24 (Musky) Octopus Salad Musky Octopus is Octopus smaller cousin, called muzgavac or mrkač in Croatian 2 kg of Musky Octopus (regular octopus will do too) 2 large-ish potatoes a bunch of fresh parsley 10 cloves of garlic 1 dl of olive oil juice of 1 lemon wine vinegar to taste salt and freshly ground pepper to taste Deep freeze the (cleaned) octopus. This makes it softer and easier to cook. Dice potatoes in small cubes, and cook them. Put octopus in cold water, and cook over low flame for 40-ish minutes from boiling. If there is skin on them, you will know it s done when the skin starts falling off. Drain them, let them cool down and peel the skin. Dice the octopus in 1 cm cubes. Finely chop garlic and parsley. Add salt, pepper, lemon juice, 3 tbsp of wine vinegar, parsley, garlic and olive oil to diced octopus. Add potatoes. Mix well. Serve cold.
25 Domain Keys Identified Mail: A Short Introduction
- Specified in RFC5585
- Additional RFCs: RFC6376 (DKIM Signatures), RFC5863 (DKIM Development, Deployment and Operation), RFC5617 (Author Domain Signing Practices (ADSP))
- In a nutshell: Specifies methods for gateway-based cryptographic signing of outgoing messages, embedding verification data in an e-mail header, and ways for recipients to verify integrity of the messages
- Uses DNS TXT records to publish public keys
26 DKIM Operation
[Diagram]
- Signer: Generate keypair -> DNS TXT RR. Outgoing msg -> Canonicalize + Sign -> Insert DKIM-Signature
- Verifier: Receive msg -> Parse DKIM-Signature -> Verify b and bh -> Deliver/Drop/Quarantine
27 DKIM Signature Example
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s= ; h=mime-version:date:message-id:subject:from:to:content-type; bh=pmd4zyid1vn/f7rzay6leon+d+w+adlvsr6i0zryofa=; b=n3ebxt5dwnbeissypkt6zokheb8ju51f4x8h2bkhdwk9ypok8duu4zglh srfefcvf+/2xepnqaivtkme0h7zti8yvv6ldeqtjqqwqq/ra7wsn4tjg4b JAXPR+yF6xwLLcQqMwzsgLxC3pQAPw3Lp7py9C62nauei3nLEm0gLnXYsh Uvq6IS+qfJBOKeMby9WUsqRecg0AWX8Dfb8gxXHQH8wKFJ96KitB6iPFq ufiotazwmhifnl+nhr06v0pwscqhssccuk0etdu9uqyf8bdn4opkhg7tz SyGhUFeuqwxJoCJcghGf7edZ0OIgZtEcuxLMcgl+mpSje2YIfeXgFRg==
Callouts on the slide: DKIM-Signature header, algorithms used (a), canonicalization scheme (c), Signing Domain ID (d), selector (s), signed headers (h), body hash (bh), header hash (b)
28 DKIM Signature Algorithms RSA-SHA1 or RSA-SHA256 Signers MUST Verifiers MUST Signers SHOULD Verifiers MUST Max. practical key length 512 bits 1024 bits 2048 bits Verifiers MUST Signers MUST (for long-lived keys) Verifiers MUST Verifiers MAY 28
29 DKIM Signature Canonicalization
- Process of adapting the message content for signing to compensate for minor changes by MTAs in transit
- MUST NOT change the transmitted data in any way; just its presentation
- Two canonicalization schemes are supported for both headers and body:
  - Simple (almost no modification tolerated)
  - Relaxed (some modification, like header name case changes, line wrapping, whitespace replacement allowed)
30 DKIM Signature Header Canonicalization
- Simple Header Canonicalization
  - No changes to headers
  - Retains order, case and whitespacing
- Relaxed Header Canonicalization
  - Header names -> lowercase
  - Unfolds all multiline headers
  - Replaces sequences of WSP characters with a single WSP
  - Deletes WSP characters at EOL
  - Deletes WSP before and after the colon separating the field name from the value
31 DKIM Signature Header Canonicalization in Action Return- Path: v- X- Original- To: Delivered- To: Received: from mx1.hc4-93.c3s2.smtpi.com (esa1.hc4-93.c3s2.smtpi.com [ ]) by rotkvica.dir.hr (Postfix) with ESMTP id B08562ABC01E for Thu, 26 Dec :03: (CET) Received- SPF: Pass (mx1.hc4-93.c3s2.smtpi.com: domain of v- designates as permitted sender) identity=mailfrom; client- ip= ; receiver=mx1.hc4-93.c3s2.smtpi.com; envelope- from=v- x- sender=v- x- conformance=sidf_compatible; x- record- type="v=spf1 Received- SPF: Pass (mx1.hc4-93.c3s2.smtpi.com: domain of designates as permitted sender) identity=helo; client- ip= ; receiver=mx1.hc4-93.c3s2.smtpi.com; envelope- from=v- x- x- conformance=sidf_compatible; x- record- type="v=spf1 Authentication- Results: mx1.hc4-93.c3s2.smtpi.com; dkim=pass (signature verified) X- IronPort- Anti- Spam- Filtered: true 31
32 DKIM Signature Header Canonicalization in Action return- path:v- x- original- delivered- received:from mx1.hc4-93.c3s2.smtpi.com (esa1.hc4-93.c3s2.smtpi.com [ ]) by rotkvica.dir.hr (Postfix) with ESMTP id B08562ABC01E for Thu, 26 Dec :03: (CET) received- spf:pass (mx1.hc4-93.c3s2.smtpi.com: domain of v- designates as permitted sender) identity=mailfrom; client- ip= ; receiver=mx1.hc4-93.c3s2.smtpi.com; envelope- from=v- x- sender=v- x- conformance=sidf_compatible; x- record- type="v=spf1 received- spf:pass (mx1.hc4-93.c3s2.smtpi.com: domain of designates as permitted sender) identity=helo; client- ip= ; receiver=mx1.hc4-93.c3s2.smtpi.com; envelope- from=v- x- x- conformance=sidf_compatible; x- record- type="v=spf1 authentication- results:mx1.hc4-93.c3s2.smtpi.com; dkim=pass (signature verified) x- ironport- anti- spam- filtered:true 32
33 DKIM Signature Body Canonicalization
- Simple Body Canonicalization
  - No changes to the message, except:
    - removes any empty lines at the end of the message body
    - adds CRLF at the end of the message body, if not already there
- Relaxed Body Canonicalization
  - Simple Canonicalization, plus:
    - Ignores all WSP characters at EOL
    - Replaces sequences of WSP characters in a line into a single WSP
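The header and body canonicalization rules from the preceding slides, as an added Python example that is not part of the original presentation. Function names and the `SENT`/`RELAYED` bodies are constructed for illustration; the body hash corresponds to the `bh` tag with `a=rsa-sha256`.

```python
import base64
import hashlib
import re

WSP_RUN = re.compile(rb"[ \t]+")


def parse_c_tag(value=None):
    """Split the c= tag into (header scheme, body scheme); default simple/simple."""
    if not value:
        return "simple", "simple"
    header, _, body = value.strip().lower().partition("/")
    return header, body or "simple"  # "c=relaxed" alone means relaxed/simple


def canon_header(field: bytes, scheme: str) -> bytes:
    """Canonicalize one complete header field (folded lines and final CRLF included)."""
    if scheme == "simple":
        return field  # no changes: order, case and whitespace retained
    name, _, value = field.partition(b":")
    value = re.sub(rb"\r\n(?=[ \t])", b"", value)       # unfold multiline header
    value = WSP_RUN.sub(b" ", value).strip(b" \r\n")    # collapse WSP, trim ends
    return name.strip().lower() + b":" + value + b"\r\n"


def canon_body(body: bytes, scheme: str) -> bytes:
    lines = body.split(b"\r\n")
    if scheme == "relaxed":
        # collapse WSP runs to a single space, drop WSP at end of line
        lines = [WSP_RUN.sub(b" ", line).rstrip(b" ") for line in lines]
    while lines and lines[-1] == b"":                   # drop trailing empty lines
        lines.pop()
    canon = b"".join(line + b"\r\n" for line in lines)  # body ends with one CRLF
    # An empty body becomes a single CRLF under simple, stays empty under relaxed.
    return canon or (b"\r\n" if scheme == "simple" else b"")


def body_hash(body: bytes, scheme: str) -> str:
    """Value a signer would place in bh= (SHA-256, base64)."""
    return base64.b64encode(hashlib.sha256(canon_body(body, scheme)).digest()).decode()


def same_body_hash(sent: bytes, received: bytes, scheme: str) -> bool:
    return body_hash(sent, scheme) == body_hash(received, scheme)


# Constructed bodies: the relay changed whitespace and appended an empty line.
SENT = b"Hello  world\r\nSecond line\r\n"
RELAYED = b"Hello \t world  \r\nSecond line\r\n\r\n"

if __name__ == "__main__":
    for scheme in ("simple", "relaxed"):
        print(scheme, "survives relay:", same_body_hash(SENT, RELAYED, scheme))
```
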
35 DKIM Signature: Signing Domain ID and Selector
- Signing Domain ID (SDID)
  - Identifies the entity claiming responsibility for the signed message
  - Must correspond to a valid DNS name under which a DKIM key is published
- Selector
  - Enables publishing of multiple keys per signing domain
  - Use cases:
    - Periodic key rotations
    - Delegating/splitting signing authority for different OUs
    - Delegating signing authority to 3rd parties
    - Allowing roaming users to sign their own messages
37 DKIM Public Key Retrieval DNS query: <selector>._domainkey.<sdid> For our example: _domainkey.gmail.com IN TXT k=rsa\; p=miibijanbgkqhkig9w0baqefaaocaq8amiibcgkcaqea1kd87/uejjenpabg bfwh+ebcsstrqmwiyyvywlbhbqoo2dymndfkbjovipildns/m40kf+yzmn1skyo xctugcqs8g3fgd2ap3zb5dekao5wmmk4wimdo+u8qzi3sd0" "7y2+07wlNWwIt 8svnxgdxGkVbbhzY8i+RQ9DpSVpPbF7ykQxtKXkv/ahW3KjViiAH+ghvvIh kx4xysic9oswvmal5octmeewuwg8istjqz8bzetwbf41fbnhte7y+yqzowq1s d0dbvyad9nozk9vlfuac0598hy+vtsbczuikerhv1yrbcaqtzfh5wtirrn04b LUTD21MycBX5jYchHjPY/wIDAQAB 37
38 DKIM Signature: Anatomy of the DKIM-Signature Header
- Mandatory tags: V, A, D, S, H, B, BH
- Optional tags: C, I, L, Z
- Recommended tags: T, X
39 DKIM Signature Tags: Expanded View
- Required signature tags: v, a, d, s, h, b, bh
- Optional signature tags:
  - c: defaults to simple/simple
  - i: Agent or User ID; usually corresponds to sender's address
  - l: Body length
  - z: Copied header fields, separated by used for diagnostics
- Recommended signature tags:
  - t: Signature timestamp in Unix Epoch time, GMT
  - x: Signature expiration in Unix Epoch time, GMT. Must be greater than t time
40 DKIM Public Key: Anatomy of the DKIM DNS Record
- Mandatory tags: P
- Optional tags: H=SHA1, K=RSA, S=, T=Y, T=S, G, N
- Recommended tags: V=DKIM1
41 DKIM Public Key: Expanded Tags
- Only p tag is required
- Optional tags:
  - h: acceptable hash algorithms
  - k: key type
  - n: notes (for human interpretation)
  - s: service type
  - g: key granularity; local part of the i tag of the signature must be equal to it
  - t: flags
    - y: This domain is testing DKIM
    - s: if i tag is used in signature, domain part of the i tag must be equal to d tag. Recommended to be present if no subdomains are used.
- Recommended tags:
  - v: Version of the DKIM key record. If present, must be DKIM1.
42 DKIM Public Key Examples iport._domainkey.cisco.com IN TXT v=dkim1\; s= \; p=migfma0gcsqgsib3dqebaquaa4gnadcbiqkbgqcctxghjnvnpdcqljm6a/ 0otvdpzFIJuo73OYFuw6/8bXcf8/p5JG/iME1r9fUlrNZs3kMn9ZdPYvTyRbyZ0 UyMrsM3ZN2JAIop3M7sitqHgp8pbORFgQyZxq+L23I2cELq+qwtbanjWJzEPpV vrvbuz9ql8cuts+v5n5ldq8l/lwidaqab\; lufthansa3._domainkey.lufthansa.com IN TXT g=*\; k=rsa\; t=y\; n="contact with any questions concerning this signing"\; p=migfma0gcsqgsib3dqebaquaa4gnadcbiqkbgqda7e WF9kW/HY6ppS6g3U6Be0JRfu59Iv3oYgW+ztDJK1HsLf/hmah4buPBtVaGb CagDNN7wK12uhs6ko6f4SulZpwqVdtp1R6jujvW56hcNhx4RJ0E17mefniciwYfQx DhQmE8lkUzJR4BXWuKsPSSSy/pT3rM+LusuTAbFWKsMQIDAQAB\; 42
43 Choosing Your DKIM Parameters
- Make the best use of selectors
  - Periodic key rotation
  - Delegation of signing authority
- Sacrificing security for performance
  - If you must, consider weakening your signatures in the following order:
    1. Reduce the signing key size (and combine with selector rotation)
    2. Use simple for body canonicalization
    3. Use simple for headers canonicalization
    4. Change signing algorithm to sha-1
- However, RFC6376 says: Signers MUST implement and SHOULD sign using rsa-sha256
44 Configuring DKIM Signing and Verification Using Cisco ESA
45 DKIM Advertisement Problem and ADSP
- The biggest problem of DKIM is that there is no straightforward advertising
  - Unsigned messages can come in unverified
- ADSP (Author Domain Signing Practices, RFC5617) is an extension to DKIM
  - A DNS-based method for sender domains to advertise that they are signing messages
  - A simple TXT record at _adsp._domainkey.<domain>, containing just: dkim=unknown|all|discardable
- ADSP is obsoleted as of November 2013 due to lack of deployment
_adsp._domainkey.yahoo.com IN TXT dkim=unknown
46 Hardening Your Infrastructure: DMARC
47 Sardines on a spit Traditional dish of fishermen from the island of Vis 1 kg of fresh sardines coarse-grain sea salt a branch of fresh rosemary olive oil This extremely simple dish is a secret specialty of fishermen from Croatia s most remote island, Vis. Do google it. The recipe includes a bit of DIY: You need to make (well, or buy) a thin spit out of non-taninreleasing wood. Bay leaf branches work best. The spit should be up to 1 cm wide, as thin as possible, and sharp at one end. Dip the branch of rosemary in little olive oil. Wipe the sardines with a rough cloth to remove the scales, and let them covered in sea salt for about half an hour, to make the fish firmer. Slide the fish on the spit so the spit is always under the spine. Place the spit over burning coal, with spine facing up. This is critical, because if you miss sides, fish will fall off as you turn it. Grill it for a few minutes, then turn once, grill for another few minutes, and set aside in a pot, cover, and let them sit for a few more minutes. Never turn the fish more than once. Sprinkle with rosemary-infused olive oil, and serve with potato salad, or freshly baked bread. This is probably the crudest, and best way to cook sardines. Enjoy!
48 "DMARC is designed to prevent bad actors from sending mail which claims to come from legitimate senders, particularly senders of transactional email. One of the primary uses of this kind of spoofed mail is phishing" (draft-kucherawy-dmarc-base-02, IETF Network Working Group)
49 Moving Towards DMARC
- Both DKIM and SPF have shortcomings, not because of bad design, but because of different nature of each technology
- DKIM policy advertising was addressed by ADSP, but:
  - There was no visibility by spoofed parties into offending traffic
  - Even though a receiver implemented both SPF and DKIM verification, there was no requirement of the two technologies being in sync
  - A smart attacker might make use of this to push illegitimate messages through
- SPF checks HELO/MAILFROM identity, but no verification or alignment of Header From is ensured
- Thus, DMARC was born: Leveraging great existing technologies, providing a glue to keep them in sync, and allowing senders to mandate rejection policies and have visibility of offending traffic
50 DMARC Operation
[Diagram]
- Sender: Publish SPF -> SPF (or TXT) DNS RR; Publish DKIM -> DKIM (TXT) DNS RR; Publish DMARC -> DMARC (TXT) DNS RR; Outgoing msg -> Insert DKIM-Signature
- Recipient: Check SPF; Check DKIM; Fetch DMARC Policy; Check SPF on Header From; Align Identifiers; Apply DMARC Policy; Send DMARC Report(s)
51 DMARC Policy: Example of a DMARC DNS Record
_dmarc.amazon.com IN TXT v=DMARC1\; p=quarantine\; pct=100\; rua=mailto:dmarc-reports@bounces.amazon.com\; ruf=mailto:dmarc-reports@bounces.amazon.com
Callouts on the slide: Version (v), Failure policy (p), Sampling rate (pct), Aggregate Reports URI (rua), Failure Reports URI (ruf)
52 DMARC Policy: Policy Specification and Slow Start
- Policies requested by senders: None, Quarantine, Reject
- Receivers MAY deviate from requested policies, but SHOULD inform the sender why (through Aggregate Report)
- Sampling rate (pct tag) instructs the receiver to only apply policy to a fraction of messages
53 DMARC Policy: Reporting URIs
- mailto: and URIs supported
- Two distinct report types:
  - Aggregate report: sent on an interval; summary of all incidents from a particular sender domain
  - Failure report: sent on (every) failure; detailed report on individual failures
54 DMARC Policy: Anatomy of the DMARC DNS Record
- Mandatory tags: V=DMARC1, P
- Optional tags: PCT, SP, ADKIM, ASPF, RI, RUA, RF, FO, RUF
55 DMARC Policy: Adherence to SPF/DKIM
- Sender can request Strict ("s") or Relaxed ("r", default) adherence to DKIM and SPF
- DKIM ("adkim"):
  - Relaxed: Header From FQDN can be a subdomain of d tag of DKIM signature
  - Strict: Header From FQDN must completely match the d tag of DKIM
- SPF ("aspf"):
  - Relaxed: Header From domain can be a subdomain of SPF-Authenticated (MAIL FROM) domain
  - Strict: Header From domain must match MAIL FROM domain
56 DMARC Policy: Failure Reporting
- Two supported Report Formats ("rf"):
  - afrf: Authentication Failure Reporting Format, defined in RFC6591, and extended by draft-kucherawy-dmarc-base (default)
  - iodef: Incident Object Description Exchange Format, defined in RFC5070
- Failure reporting options ("fo"), separated by colons in the Policy Record:
  - 0: generate a report if all underlying mechanisms fail to align and pass (default)
  - 1: generate a report if any underlying mechanisms fail to align and pass
  - d: generate a DKIM failure report if DKIM verification fails, regardless of alignment
  - s: generate an SPF failure report for failed SPF verification, regardless of alignment
61 DMARC Reporting: Delegating Reporting Authority
_dmarc.facebook.com IN TXT "v=DMARC1\; p=reject\; pct=100\;
facebook.com._report._dmarc.ruf.agari.com IN TXT v=DMARC1
62 DMARC Record Examples
_dmarc.google.com IN TXT v=DMARC1\; p=quarantine\; rua=mailto:mailauth-
_dmarc.cs.helsinki.fi IN TXT v=DMARC1\; p=reject\; sp=reject\; pct=100\; aspf=r\; rua=mailto:dmarc-
_dmarc.microsoft.com IN TXT v=DMARC1\; p=none\; pct=100\; fo=1
_dmarc.dk-hostmaster.dk IN TXT v=DMARC1\; p=none\; rua=mailto:dmarc- hostmaster.dk\; ruf=mailto:dmarc- hostmaster.dk\; adkim=r\; aspf=r\; rf=afrf
63 DMARC Identifier Alignment: When Does A Message Pass?
- DMARC authenticates the domain from Header From
- DKIM authenticates the domain from DKIM-Signature ("d" tag)
- SPF authenticates domains from MAIL FROM or HELO identities
- Identifier Alignment is a concept of alignment between Header From and identifiers checked by DKIM and SPF
- Message passes DMARC check if one or more of the authentication mechanisms (DKIM and/or SPF) pass with proper alignment
72 DMARC Identifier Alignment: SPF
Columns on the slide: aspf=r, aspf=s

MAIL FROM:
From: Hrvoje Dogan (hrdogan)
To: Hrvoje Dogan
Subject: DMARC test

MAIL FROM: <hrdogan@cisco.com>
From: Hrvoje Dogan (hrdogan) <hrdogan@mail.cisco.com>
To: Hrvoje Dogan <hdogan@dir.hr>
Subject: DMARC test

MAIL FROM: <hdogan@linux.hr>
From: Hrvoje Dogan (hrdogan) <hrdogan@cisco.com>
To: Hrvoje Dogan <hdogan@dir.hr>
Subject: DMARC test
78 DMARC Identifier Alignment: DKIM
Columns on the slide: adkim=r, adkim=s

DKIM-Signature: v=1; [ ] d=cisco.com;[ ]
From: Hrvoje Dogan (hrdogan) <hrdogan@cisco.com>
To: Hrvoje Dogan <hdogan@dir.hr>
Subject: DMARC test

DKIM-Signature: v=1; [ ] d=cisco.com;[ ]
From: Hrvoje Dogan (hrdogan) <hrdogan@mail.cisco.com>
To: Hrvoje Dogan <hdogan@dir.hr>
Subject: DMARC test

DKIM-Signature: v=1; [ ] d=linux.hr;[ ]
From: Hrvoje Dogan (hrdogan) <hrdogan@cisco.com>
To: Hrvoje Dogan <hdogan@dir.hr>
Subject: DMARC test

Multiple DKIM signatures? Any must validate and align.
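The alignment rules and pass condition from the slides above, as an added Python example that is not part of the original presentation. It uses the addresses shown on the slides with constructed SPF/DKIM verification results and constructed policy records; function names are hypothetical. Relaxed mode follows the slides' wording (Header From may be a subdomain of the authenticated domain) and does not implement the Organizational Domain lookup of RFC 7489, which needs a public suffix list.

```python
def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into a tag dictionary with alignment defaults."""
    tags = {}
    # Zone-file listings escape the separator as "\;", as on the slides.
    for part in record.replace("\\;", ";").split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")  # relaxed is the default for both modes
    tags.setdefault("aspf", "r")
    return tags


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip(" <>").rstrip(".").lower()


def aligned(from_domain: str, authenticated_domain: str, mode: str) -> bool:
    """mode 's': exact match; mode 'r': exact match or From is a subdomain."""
    f, a = from_domain.lower(), authenticated_domain.lower()
    if f == a:
        return True
    # The leading dot stops "notcisco.com" from aligning with "cisco.com".
    return mode == "r" and f.endswith("." + a)


def dmarc_disposition(message: dict, record: str) -> str:
    """Return 'pass', or the policy the sender requested for failing mail."""
    policy = parse_dmarc(record)
    from_domain = domain_of(message["header_from"])
    spf_ok = message["spf"] == "pass" and aligned(
        from_domain, domain_of(message["mail_from"]), policy["aspf"])
    # Any one valid and aligned signature is enough.
    dkim_ok = any(
        sig["result"] == "pass" and aligned(from_domain, sig["d"], policy["adkim"])
        for sig in message["dkim"])
    return "pass" if spf_ok or dkim_ok else policy["p"]


# Addresses from the slides; verification results are constructed.
SUBDOMAIN_FROM = {"mail_from": "<hrdogan@cisco.com>",
                  "header_from": "<hrdogan@mail.cisco.com>",
                  "spf": "pass", "dkim": []}
# SPF and DKIM both verify, but for linux.hr, not for the Header From domain.
FOREIGN_IDENTITIES = {"mail_from": "<hdogan@linux.hr>",
                      "header_from": "<hrdogan@cisco.com>",
                      "spf": "pass",
                      "dkim": [{"d": "linux.hr", "result": "pass"}]}
TWO_SIGNATURES = dict(FOREIGN_IDENTITIES,
                      dkim=[{"d": "linux.hr", "result": "pass"},
                            {"d": "cisco.com", "result": "pass"}])

if __name__ == "__main__":
    for name, msg in [("subdomain From", SUBDOMAIN_FROM),
                      ("foreign identities", FOREIGN_IDENTITIES),
                      ("two signatures", TWO_SIGNATURES)]:
        print(name, "->", dmarc_disposition(msg, "v=DMARC1; p=reject; aspf=s; adkim=s"))
```
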
79 DMARC: How to start
1. Correctly deploy DKIM and SPF
2. Make sure that your identifiers will align
3. Publish a DMARC record with p=none, gather rua and ruf reports for a while
4. Analyze the data and modify your mail streams (or DKIM/SPF parameters)
5. Apply reject or quarantine policy
80 DMARC How to Delegate Create a subdomain for your 3 rd party mailers Provide them with your DKIM signing key Make sure adkim is set to strict, and aspf set to relaxed if needed Received: from mta3.e.tripadvisor.com ([ ]) by mx1.hc4-93.c3s2.smtpi.com with ESMTP; 01 Jan :16: Received- SPF: Pass (mx1.hc4-93.c3s2.smtpi.com: domain of bounce _HTML @bounce.e.tripadvisor.com designates as permitted sender) identity=mailfrom; client- ip= ; receiver=mx1.hc4-93.c3s2.smtpi.com; envelope- from="bounce _HTML @bounce.e.tripadvisor.com"; x- sender="bounce _HTML @bounce.e.tripadvisor.com"; x- conformance=sidf_compatible; x- record- type="v=spf1 DKIM- Signature: v=1; a=rsa- sha1; c=relaxed/relaxed; s=200608; d=e.tripadvisor.com; h=from:to:subject:date:list- Unsubscribe:MIME- Version:Reply- To:Message- ID:Content- Type; i=members@e.tripadvisor.com; bh=zncj7ir0d/hc0m9uybyzydudczq=; b=afqcdgz2vg8z38jbi8xku +c8vp3q89jcmlptrfo1otrv21ujsqgw1fkcfbzglzxnyque8tlgqjy2akacav2yiizpogw6phnmmdmmxg2i5ufgqvipfzezvtu Q/gNPFkJeUFSHRpJriV0017gsGVmV3t72fv25kS0kKbtvvhjZCyQ= From: "TripAdvisor" <members@e.tripadvisor.com> 80
84 DMARC deployment using Cisco ESA
85 Don't Be A Phish: Deploy DMARC!
DMARC provides:
- Easy, simple and powerful existing-standards-based message authentication
- Flexibility and gradual deployment
- A chance to clean up your mail flows and tighten up messaging security
- Easy protection from most phishing attacks, both as phish and as bait!
- ...and endless opportunities for corny fish jokes.
DON'T BE A PHISH. IT'S SIMPLE.
86 For More Information
Presentation videos:
87 Image credits
Most photography on title slides courtesy of Novi List, used with permission of the Editor of Photography.
Authors of photography: Sergej Drechsler, Petar Fabijan, Marko Gracin, Roni Brmalj, Damir Škomrlj, Silvano Ježina, Livio Černjul
Original artwork for icons and progress indicator done in ink on paper by Ivica Matić,
Special credits go to Helenka, for her relentless work on producing these slides